Data Security
Posture Management
(DSPM)

Last updated: January 11, 2023

What is Data Security Posture Management?

In the cloud, data travels constantly. It moves between different cloud environments with different security postures. Then it shifts back, or is copied for testing, or moved for backup, shared with a 3rd party, or sometimes just forgotten.

But cloud security tools weren’t designed for a reality where data is always moving. Instead, they were built to serve the same function as on-prem tools: secure the perimeter, and by extension (hopefully) the data stays secure. But the growth of cloud data breaches shows this approach doesn’t work anymore.

DSPM is an approach to data security focused on ensuring that sensitive data always has the correct security posture - regardless of where it’s been duplicated or moved. DSPM tracks and assesses data and its security through its entire lifecycle and across all cloud environments. By providing automatic visibility, risk assessment, and access analysis for cloud data, DSPM ensures that sensitive data is always secured.

Sensitive Data in the Cloud

Why is Cloud Data Security Such a Challenge?  

100 ZB of data (that’s 100,000,000,000,000,000,000,000 bytes) will be stored in the cloud by 2025. 60% of the world’s corporate data is already stored in the cloud.

Part of the reason for this explosion of cloud data is the shifting left of data management and the decentralization of data architecture. Many cloud-first companies have adopted microservices and cloud-driven CI/CD approaches, which enable developers to independently create their own data stores. This results in data flowing between different applications, services, cloud-native users, third-party vendors and even countries – all without oversight. What’s more, cloud applications tend to generate a large amount of data as a byproduct of the application – data which usually remains unprocessed, uncleaned and unorganized, delivering no value to the organization yet muddying the data waters even further.

Then, there’s shadow data. Shadow data is any organizational data that has been copied, backed up or is otherwise stored such that it is not subject to an organization’s centralized (and secured) data management framework. Despite its potential sensitivity, shadow data is frequently not governed by data security policies, housed according to preferred security structure, subject to access control limitations, or even visible to the tools used to monitor and log data access. Shadow data is a jackpot for hackers – publicly accessible sensitive data that nobody really knows is there. And there’s a LOT of it. We estimate that some 20% of all enterprise data is shadow data.

And of course, we can’t ignore digital supply chain data (sometimes referred to as third party data – even though). All the various cloud-based services and on-demand applications used by cloud-centric or cloud-first enterprises actually make up a tiered ecosystem of services and infrastructures. These digital supply chains are connected to almost every mission-critical service in your company and fed by data of almost every level of sensitivity. And third parties are just the tip of the iceberg. Every third party has its own third parties, who have their own third parties, and so on down the line. This means that the vulnerabilities of your vendors and your vendor’s vendors (and so on…) become vulnerabilities that leave your data exposed.

Data travels through the public cloud

The vast quantities and types of data contribute to today’s cloud data security gap – the chasm between the security of cloud infrastructure and the security of the data housed within it.

Why are Cloud-First Enterprises Adopting DSPM?

A cloud-first strategy prioritizes adoption of cloud technologies over legacy IT systems for all new applications, platforms, and infrastructure. Cloud-first enterprises are able to avoid the high costs of on-prem deployment, installation, maintenance, and IT infrastructure upgrades. Instead, they choose an option that scales capacity up or down based on need – supporting a manageable, metered cost model.

The data issue is that cloud-first enterprises have a huge number of cloud-based apps creating their huge volume of data in a complex and frequently multi-cloud ecosystem. This makes data protection far more complex, because:

  • Multi-cloud environments and hybrid infrastructures often have inconsistent security regimes.
  • Using public cloud infrastructure can place serious limits on the visibility of data access and sharing.
  • Depending on where it is actually stored, cloud data may be subject to various data protection regulations (GDPR, CCPA, HIPAA, etc.).
  • Highly distributed cloud computing means that organizations may not understand exactly where all applications – not to mention data – are stored.
  • Security responsibilities in a shared environment may be misunderstood or incorrectly applied.

Since they have trouble knowing where their data is, cloud-first enterprises have a lot more trouble protecting it. With a new awareness that data is actually the core of what they need to protect, cloud-first enterprises are looking to shrink their data attack surface and more closely track who accesses data and what they do with it.

While most of these organizations have implemented Cloud Security Posture Management (CSPM) solutions to secure their cloud infrastructure, they’re now beginning to turn to DSPM to specifically target cloud data protection. DSPM’s cloud-first approach makes it easier for cloud-first companies to discover, classify, assess, prioritize, and remediate data security issues. By turning to solutions that automate data detection and protection, these enterprises are better able to address cloud data security concerns at massive scale.

What's the Difference Between CSPM and DSPM?

CSPM solutions were purpose-built to protect cloud infrastructure by finding vulnerabilities in cloud resources, like VMs and VPC networks. Yet these systems are largely data agnostic. They look for infrastructure vulnerabilities, then try to identify what data is vulnerable because of them. 

Some CSPMs claim to offer DSPM-like functionality. And they may indeed be able to provide basic information on data at risk - like identifying PII in text files in VMs and S3 buckets. Yet because CSPMs start from the infrastructure and work their way in towards the data, they can’t tell you where the data came from or how it’s meant to be secured. These solutions generally don’t know anything about the data itself. And lacking this context, they don’t have enough data awareness to, for example, prioritize remediation based on data sensitivity.

Data Security Posture Management (DSPM) is about the data itself. It provides visibility into where sensitive data is, who can access that data, how it was used, and how robust the data store or application security posture is. 

Advanced DSPM solutions start with in-depth data discovery, complemented by data observability functionality like real-time visibility into data flows, risk, overexposure, access controls and compliance with data security controls. DSPM identifies security gaps and undue exposure – accelerating assessments of how data security posture needs to be strengthened with the right data security controls.

DSPM connects the dots between data and infrastructure security, allowing security teams to understand what sensitive data is at risk instead of showing them a list of vulnerabilities to remediate. Essentially, DSPM adds a layer of data security and data context on top of CSPM. What’s more, the cutting edge of DSPM solutions can actually follow data past infrastructure as a service (IaaS), and into PaaS and SaaS as well.

What to Look for in a DSPM Solution

When looking for the right DSPM solution for your enterprise, consider whether it offers:

  • Agentless Data Discovery – Can your DSPM solution connect to your multi-cloud environment in minutes? Does it offer agentless data discovery that automatically and continuously discovers 100% of data stores without any impact on workload performance, and without the need to configure the connection to the data store or provide specific credentials?
  • Cloud-Native Data Classification – Does your DSPM platform leverage machine learning and metadata clustering to automatically classify data with high level of accuracy? An effective DSPM solution should go far beyond detecting PII. It should be able to detect and accurately label personal, financial, healthcare, and developer secrets, as well as proprietary data, including customer data, HR data, or intellectual property.  
  • Security Posture Assessment – Can your DSPM solution identify sensitive data assets with a weak security posture, including misconfigurations, encryption types, compliance violations, backups and logging for business continuity and auditing, and more? Can it define granular data security controls to secure sensitive data assets regardless of the infrastructure and applications the data is stored in? 
  • Data Access Analysis – Can your DSPM system understand at a glance who can and should take action on what data? Can it automatically raise timely alerts for security teams, such as when third-party applications gain sudden access to sensitive data? Can it monitor IAM identities and roles and reduce the data attack surface by detecting dormant data, inactive users, unused access keys, users without MFA, and more – always with the context of the data at risk?
  • Data Movement Detection – Does your DSPM platform of choice detect when data is copied across cloud data stores, including when it’s processed by data pipelines, ETLs, database migrations or backups? Can it define policies to alert when sensitive data is copied or moved between regions, environments, and networks? Is it able to gain rich context that outlines security drifts, such as excessive permissions, and bring together multiple data owners for easier remediation?
  • Integrations and Multi-Cloud Security – Can your DSPM platform automatically route data security issues and compliance violations to the right teams via integrations to the tools they’re familiar with? And does it offer a multi-cloud data security platform that works across IaaS, PaaS and DBaaS, including AWS, Azure, GCP, Oracle Cloud, Snowflake and Databricks?

Advanced DSPM solutions like Sentra ensure the security and privacy of data not just across cloud providers, but also within applications, containers, and workloads. DSPM is a critical pillar supporting the data security mix – helping control data security for all users, devices and software, and providing complete visibility into data in use, data in motion and data at rest. 

To learn more about how Sentra’s DSPM solution can help secure your cloud data, contact us or just go ahead and watch a demo today!